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Notices

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under
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Four Key Functions of a Modern CISO

Figure: the four functions arranged as quadrants, with the focus of today's discussion marked:

• Monitor / Hunt
• Recover / Sustain
• Protect / Shield
• Manage / Govern
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Key Issues

• What are the real-world insights from recent cyber incidents?

• How does preparedness planning for cyber incidents differ from traditional BCM planning?

• How can organizations align BCM with their cybersecurity efforts?
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Setting the Stage:

• What are the real-world insights from recent cyber incidents?

• Why is the subject important?

Cyber Intrusions are a Fact of Life
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Prevention Activities Fall Short

> Is necessary

> Is not sufficient

> Fails too frequently

Figure: CISO functions quadrant (Manage / Govern, Recover / Sustain, Monitor / Hunt)
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"...there are only two types of companies: those that have been hacked and those that will be...

...and even they are converging into one category: companies that have been hacked and will be hacked again..."

Robert S. Mueller, III
Former Director of FBI
March 1, 2012
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Prevention Activities Fall Short

> Is necessary

> Is not sufficient

> Not immediate

> Takes too long

Figure: CISO functions quadrant (Protect / Shield, Recover / Sustain, Manage / Govern)
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Targeted Attacks are Hard to Detect

• How are compromises detected? 69% of victims were notified by an external entity.

• How long before the compromises are detected? 205 was the median number of days before detection.

SOURCE: Mandiant® "M-Trends® 2015: A View from the Front Lines" Report
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Most Frequent Cyber Attack Fallouts

• Disclosure of operationally sensitive information

• Disclosure of personally identifiable information

• Theft of intellectual property

• Theft of user access credentials

• Loss of credit card information

• Disclosure of classified information

• Revealing of company proprietary information

• Exposure of corporate email messages

• Identifying opponents and enemies

• Leak of trade secrets

• Nuisance

• Reputation damage

• Hacktivism: delivering a political or social message

• Blackmailing
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However, adversaries are interested in more...

• Deleting and destroying data

• Causing operational havoc

• Physical harm to people

• Physical damage to infrastructure

• Destruction of physical goods

• Damaging critical infrastructure

• Affecting delivery of products and services

• Shutting down day-to-day business operations
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Example: Sony Pictures Cyber Incident

• Data Exfiltration
  - Over 100 terabytes

• Reputation

• Revenue Loss

• Business Operations
  - Damaged information technology infrastructure
  - Hackers implanted and executed malware that destroyed data
  - Malware with capability to overwrite master boot records and data files

• Legal
  - Employees have filed four lawsuits against the company for not protecting their data

• Breach Expenses
  - In its first quarter financials for 2015, Sony Pictures set aside $15 million to deal with ongoing damages from the hack.
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...and therefore needs special attention within the realm of information security.

Figure: CISO functions quadrant (Protect / Shield, Monitor / Hunt, Recover / Sustain, Manage / Govern)
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Guidance:

How does preparedness planning for cyber incidents differ from traditional BCM planning?

How can organizations align BCM with their cybersecurity efforts?

Considerations for developing, and for executing, the following plans in cyber-affected environments:

• Business Continuity

• IT Disaster Recovery

• Incident Response

• Crisis Management

• Continuity of Operations

• Emergency Management

• Crisis Communications

• Workforce Continuity
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Consider This Scenario

• Adversary's long-term and established presence in your environment has been confirmed (e.g., through investigative and forensic activities).

• Adversary has been observing and learning your environment for some extended time.

• Adversary has proliferated customized malware on strategic elements of your IT and operational technology (OT) infrastructure.

• Adversary has exfiltrated confidential information.

• Adversary has just made operationally disruptive moves, for example:
  - Physical and logical damage to IT infrastructure
  - Physical and logical damage to OT infrastructure
  - Data destruction

• Day-to-day business operations have been negatively affected

i.e., it is time to execute one or more of your preparedness plans
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> Have you finished investigative and forensic activities before disturbing the adversary?
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> Is there a chance that the adversary may try to do major damage if it notices that you are trying to kick it out?
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Example: Cyber Attack on Code Spaces

Screenshot of the archived Code Spaces home page: web.archive.org/web/20140619124721/http://www.codespaces.com/

We are experiencing massive demand on our support capacity, we are going to get to everyone, it will just take time.

Code Spaces: Is Down!

Dear Customers,

On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers. This happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start.

An unauthorised person, who at this point is still unknown (all we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces), had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address.

Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

Upon realisation that somebody had access to our control panel we started to investigate how access had been gained and what access that person had to the data in our systems. It became clear that so far no machine access had been achieved due to the intruder not having our Private Keys.

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel, and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances.

In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> How long will it take you to get the adversary out?

(What did you say was your RTO?)
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> How will you be sure that the adversary is no longer around?
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> Are your enterprise systems (e.g., email, Internet access, file shares, printers, PBX, VoIP) available?

■ YES:

  o Then the adversary is most probably monitoring (listening to) every move you make.

  o How will you keep your execution plan a secret?

■ NO:

  o Do you have an alternative system (not on your infrastructure) that you can use to manage the incident?
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Things to Consider (i.e., Dilemmas)

Do you try to get the adversary out of your environment before starting recovery and restoration activities?

> While rebuilding damaged/destroyed/corrupted systems, how would you ensure that the adversary won't get into this newly built infrastructure while you are building it on your current (infected) environment?
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In Closing

1. Modern Cyber Attacks Can Disrupt
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Therefore,

All preparedness planning activities...

• IT Disaster Recovery

• Business Continuity

• Continuity of Operations

• Emergency Management

• Incident Response

• Crisis Communications

• Workforce Continuity

• Etc...

...must explicitly incorporate matters related to cybersecurity risk, cyber attacks, and cyber-enhanced incidents into their planning, testing, and execution processes.
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Factors Affecting Cost of Data Breach

Impact on per capita cost (parentheses denote a reduction in cost per compromised record):

Factor                    Per Capita Cost
Lost or stolen devices        $16.10
Third party involvement       $14.80
Quick notification            $10.45
Consultants engaged            $2.10
CISO appointed                $(6.59)
BCM involvement               $(8.98)
Incident response plan       $(12.77)
Strong security posture      $(14.14)

Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record.

SOURCE: Ponemon 2014 Cost of Data Breach Study
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